UAE Promotes Unsafe Communication Apps That Violate Data Privacy

The digital safety advocacy platform “SMEX” has highlighted the United Arab Emirates’ promotion of unsafe communication apps that violate data privacy, such as “ToTok,” “Baaz,” and “Botim,” as part of Abu Dhabi’s broader strategy of surveillance and espionage.

According to SMEX, since October 7, 2023, several social media platforms have been deleting content related to Palestine. This ongoing digital censorship has sparked “digital protests” calling for the development of an Arabic social media platform that ensures the free circulation of content related to Palestine.

While this demand is legitimate, it overlooks how some regional governments promote so-called “local” social media apps that have proven to follow less stringent privacy standards than platforms like X (formerly Twitter) and Meta. The UAE and Saudi Arabia have been at the forefront of promoting these apps.

SMEX investigated several applications developed by Gulf-based companies or promoted by Gulf media outlets. Their forensic analysis aimed to understand the security of these apps, including how they collect, store, and share data, as well as potential privacy violations.

Kwai: An Arabic-Localized App with Questionable Privacy Practices

The Chinese company “Kuaishou” developed the “Kwai” app, a short-video sharing platform similar to TikTok, which has surpassed 100 million downloads on Google Play.

Saudi and Emirati media outlets have heavily promoted Kwai as an app that “focuses on Arab culture.” The Saudi news outlet Arab News and the Emirati platform Zawaya both described Kwai as a “promising Arab social media platform” that “reflects culturally appropriate Arab content.”

In March 2024, Joyo Technology Pte. Ltd., the current owner and operator of Kwai, announced plans to expand in Saudi Arabia, emphasizing “localizing and customizing the app for the Kingdom’s society.”

However, SMEX’s forensic analysis revealed privacy concerns regarding Kwai, particularly its sharing of user data with third parties. The app’s privacy policy vaguely states that “user data will be used to exercise our rights where necessary” without specifying the scope or implications of this practice.

Despite collecting a vast amount of personal data, Kwai’s policy lacks transparency regarding the types of data collected and the reasons for gathering them. The app stores sensitive data, including users’ banking details for in-app purchases, without proper encryption, increasing the risk of data breaches.

Connor Metihan Durmaz, a policy analyst at SMEX, stated: “Kwai’s policy is problematic due to its extensive and unjustified data collection practices.” He further added that the app gathers extensive information, including battery status and Wi-Fi network details, without clear justifications.

ToTok: A Government Surveillance Tool Disguised as a Messaging App

The second app analyzed by SMEX was “ToTok,” a messaging application developed by the UAE-based company G42, which specializes in artificial intelligence research across various sectors, including sports, public services, and healthcare. The app was launched in 2019.

However, The New York Times later exposed ToTok as a surveillance tool used for espionage. Following this revelation, Google Play removed the app, and it was never available on Apple’s App Store.

SMEX’s forensic analysis found that ToTok collects device-specific data, enabling it to track and identify individual devices. If linked to user accounts or personal details, this data can be exploited to monitor individuals across different apps and services, raising significant privacy and surveillance concerns.

Furthermore, ToTok requests permission to disable Android’s security keyguard, which protects against unauthorized device access. This capability allows the app to temporarily disable the screen lock, posing a severe security risk.

Baaz: A Suspicious Social Media Platform with Government Links

The third app analyzed was “Baaz,” developed by Baz.Inc. It was introduced as an Arabic alternative to Clubhouse, offering voice-based social networking where users can join discussion groups and live conversations. Although the company is headquartered in San Francisco, the app was launched in the UAE.

Some users have speculated that Baaz serves as a surveillance tool. However, its availability on Google Play and the Apple App Store contradicts this claim, as these platforms conduct security checks before listing applications.

Despite this, Baaz’s developer is subject to the UAE’s Federal Data Protection Law, which took effect on January 2, 2022. One of the law’s main shortcomings is its limited scope of governance. For example, government data is excluded from its protection framework, meaning public sector entities handling personal data are not bound by its privacy requirements. This exemption facilitates state surveillance activities.

Botim: UAE’s Most Popular VoIP App with Privacy Risks

SMEX also analyzed “Botim,” the most widely used Voice over Internet Protocol (VoIP) app in the UAE. It was developed by Algento, a private U.S.-based company specializing in mobile services and software.

Since WhatsApp is banned for voice and video calls in the UAE, Botim serves as an alternative. While WhatsApp offers end-to-end encryption, preventing third parties from accessing user data, Botim only encrypts data during transmission. However, it allows users to request data deletion.

Durmaz noted that “governments can compel apps to provide user data under the pretext of national security. If an app refuses, it risks being banned, restricting citizens’ access to the platform.”

Moreover, Botim displays ads to free users, exposing them to malicious advertising, or “malvertising.” Clicking on such ads can lead to malware infections, phishing attacks, or other cybersecurity threats.

According to VirusTotal, a cybersecurity analysis platform, Botim is associated with suspicious sources that could compromise user security. The app’s policy also states that it is not responsible for how third parties collect, store, or use personal data, raising concerns about intrusive profiling and targeted advertising similar to Meta’s practices.

A Growing Threat to Digital Privacy

SMEX concluded that these applications pose significant security threats as they “collect excessive user data, adopt weak security standards, and fail to give users control over their privacy settings.”

Given the limited availability of privacy-respecting messaging apps in Southwest Asia and North Africa, users are encouraged to explore decentralized social media platforms. As Durmaz explained, “These platforms operate through a network of independently managed servers, ensuring no single company has control over all data and interactions.”

The UAE has prioritized investing in surveillance programs over developing ethical social media platforms, choosing data collection over innovation. Meanwhile, users are left with little choice but to compromise their privacy to reach wider audiences on mainstream social media networks.